Commit
Hardware Security Module support for keys hydra.openid.id-token, hydra.jwt.access-token
Showing 17 changed files with 480 additions and 68 deletions.
@@ -0,0 +1,56 @@ | ||
FROM golang:1.16-alpine AS builder | ||
|
||
RUN apk -U --no-cache add build-base git gcc bash | ||
|
||
WORKDIR /go/src/github.com/ory/hydra | ||
|
||
ADD go.mod go.mod | ||
ADD go.sum go.sum | ||
|
||
ENV GO111MODULE on | ||
ENV CGO_ENABLED 1 | ||
|
||
RUN go mod download | ||
|
||
ADD . . | ||
|
||
RUN go build -tags sqlite -o /usr/bin/hydra | ||
|
||
FROM alpine:3.13.4 | ||
|
||
RUN apk -U --no-cache add softhsm opensc | ||
|
||
RUN pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra \ | ||
&& pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so \ | ||
--login --pin 1234 --token-label hydra \ | ||
--keypairgen --key-type rsa:4096 --usage-sign \ | ||
--label hydra.openid.id-token --id 68796472612e6f70656e69642e69642d746f6b656e \ | ||
&& pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so \ | ||
--login --pin 1234 --token-label hydra \ | ||
--keypairgen --key-type rsa:4096 --usage-sign \ | ||
--label hydra.jwt.access-token --id 68796472612e6a77742e6163636573732d746f6b656e | ||
|
||
RUN addgroup -S ory; \ | ||
adduser -S ory -G ory -D -h /home/ory -s /bin/nologin; \ | ||
chown -R ory:ory /home/ory; \ | ||
chown -R ory:ory /var/lib/softhsm/tokens | ||
|
||
COPY --from=builder /usr/bin/hydra /usr/bin/hydra | ||
|
||
# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which | ||
# is required for read/write of SQLite. | ||
RUN mkdir -p /var/lib/sqlite | ||
RUN chown ory:ory /var/lib/sqlite | ||
VOLUME /var/lib/sqlite | ||
|
||
# Exposing the ory home directory to simplify passing in hydra configuration (e.g. if the file $HOME/.hydra.yaml | ||
# exists, it will be automatically used as the configuration file). | ||
VOLUME /home/ory | ||
|
||
# Declare the standard ports used by hydra (4433 for public service endpoint, 4434 for admin service endpoint) | ||
EXPOSE 4444 4445 | ||
|
||
USER ory | ||
|
||
ENTRYPOINT ["hydra"] | ||
CMD ["serve"] |
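Review bot: the comment above the EXPOSE instruction says the standard ports are 4433 (public) and 4434 (admin), but the instruction exposes 4444 and 4445; update the comment to match, e.g. `# Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)`. The RUN pkcs11-tool step also deserves a comment: the SoftHSM token and both RSA key pairs are generated at image build time with fixed PINs (SO-PIN 0000, user PIN 1234), so the private signing keys end up in the image layer under /var/lib/softhsm/tokens and every container started from this image shares the same ID-token and access-token signing keys. That is acceptable for a quickstart, but the Dockerfile should state that this image is for testing only and that a real deployment must generate keys on the actual HSM rather than ship them inside the image.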
@@ -0,0 +1,91 @@ | ||
--- | ||
id: hsm | ||
title: Hardware Security Module support for JSON Web Key Sets | ||
--- | ||
|
||
The PKCS#11 Cryptographic Token Interface Standard, also known as Cryptoki, is one of the Public Key Cryptography Standards developed by RSA Security. PKCS#11 defines the interface between an application and a cryptographic device. | ||
|
||
PKCS#11 is used as a low-level interface to perform cryptographic operations without the need for the application to directly interface a device through its driver. PKCS#11 represents cryptographic devices using a common model referred to simply as a token. An application can therefore perform cryptographic operations on any device or token, using the same independent command set. | ||
|
||
### HSM configuration | ||
``` | ||
HSM_ENABLED=true | ||
HSM_LIBRARY=/path/to/hsm-vendor/library.so | ||
HSM_TOKEN_LABEL=hydra | ||
HSM_PIN=1234 | ||
``` | ||
|
||
It is expected that token with label `hydra` contains RSA key pairs with labels `hydra.openid.id-token` and additionally `hydra.jwt.access-token` depending on ORY Hydra configuration. | ||
|
||
When generating keys on HSM, key `id` is used as `kid` in JSON Web Key Set. | ||
|
||
### Testing with SoftHSM | ||
|
||
Change into the directory with the Hydra source code and run the following | ||
command to start the needed containers with SoftHSM support: | ||
|
||
```shell | ||
$ docker-compose -f quickstart-hsm.yml up --build | ||
``` | ||
|
||
On start up, ORY Hydra should inform if HSM is configured. Let's take a look at the logs: | ||
|
||
```shell | ||
$ docker logs ory-hydra-example--hydra | ||
time="2021-07-07T12:51:23Z" level=info msg="Hardware Security Module is configured." | ||
time="2021-07-07T12:51:23Z" level=info msg="Using key pair 'hydra.openid.id-token' from Hardware Security Module." | ||
time="2021-07-07T12:51:23Z" level=info msg="Using key pair 'hydra.jwt.access-token' from Hardware Security Module." | ||
``` | ||
|
||
### Generating key pairs | ||
|
||
Depending on HSM vendor, tools generating/importing keys vary. Let's take a look how key pairs are generated in HSM quickstart container using `pkcs11-tool` from OpenSC: | ||
|
||
Creating token | ||
```shell | ||
$ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra | ||
|
||
Using slot 0 with a present token (0x2763db07) | ||
Token successfully initialized | ||
User PIN successfully initialized | ||
``` | ||
|
||
Where parameter `--label hydra` value corresponds to value used in configuration `HSM_TOKEN_LABEL` and `--pin 1234` to `HSM_PIN` | ||
|
||
Generating keypair for JSON Web Key `hydra.openid.id-token` | ||
```shell | ||
$ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so \ | ||
--login --pin 1234 --token-label hydra \ | ||
--keypairgen --key-type rsa:4096 --usage-sign \ | ||
--label hydra.openid.id-token --id 68796472612e6f70656e69642e69642d746f6b656e | ||
|
||
Key pair generated: | ||
Private Key Object; RSA | ||
label: hydra.openid.id-token | ||
ID: 68796472612e6f70656e69642e69642d746f6b656e | ||
Usage: decrypt, sign, unwrap | ||
Public Key Object; RSA 4096 bits | ||
label: hydra.openid.id-token | ||
ID: 68796472612e6f70656e69642e69642d746f6b656e | ||
Usage: encrypt, verify, wrap | ||
``` | ||
|
||
Where parameter `--id 68796472612e6f70656e69642e69642d746f6b656e` is the value used as `kid` in JSON Web Key Set. It must be set as a big-endian hexadecimal integer value. | ||
|
||
Generating keypair for JSON Web Key `hydra.openid.id-token` | ||
```shell | ||
$ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so \ | ||
--login --pin 1234 --token-label hydra \ | ||
--keypairgen --key-type rsa:4096 --usage-sign \ | ||
--label hydra.jwt.access-token --id 68796472612e6a77742e6163636573732d746f6b656e | ||
|
||
Key pair generated: | ||
Private Key Object; RSA | ||
label: hydra.jwt.access-token | ||
ID: 68796472612e6a77742e6163636573732d746f6b656e | ||
Usage: decrypt, sign, unwrap | ||
Public Key Object; RSA 4096 bits | ||
label: hydra.jwt.access-token | ||
ID: 68796472612e6a77742e6163636573732d746f6b656e | ||
Usage: encrypt, verify, wrap | ||
``` |
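Review bot: the heading before the second key-generation command reads "Generating keypair for JSON Web Key `hydra.openid.id-token`", but the command and its output generate `hydra.jwt.access-token`; change the heading to name `hydra.jwt.access-token`. Two smaller documentation points: the `--id` values shown (68796472612e6f70656e69642e69642d746f6b656e and 68796472612e6a77742e6163636573732d746f6b656e) are the hex encoding of the ASCII label strings "hydra.openid.id-token" and "hydra.jwt.access-token", which is worth stating explicitly, since the sentence after the first example only says the id must be a big-endian hexadecimal integer and readers are left guessing how the quickstart chose its values (and that this value becomes the public `kid` in the JWKS). The sentence "It is expected that token with label `hydra` contains RSA key pairs ... depending on ORY Hydra configuration" also needs articles: "the token with label `hydra`" and "depending on the ORY Hydra configuration".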